ryuk | cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478

General

Target

cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
Size

123KB
MD5

c22c2847e3318190b9c9f16dc4b044ca
SHA1

c6f8e944701b557a905754551cc939b9c4956bdc
SHA256

cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478
SHA512

2f1e14bfd5134760a62db30980b8541ead8ffe1ac244e2699d46b255b36299d0e87aab8281b7a08b0c77a9da45ab7a812cbd42147fcdf00246fe6f4afe251012

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1608 icacls.exe
1248 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

1500 SCHTASKS.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1696 vssadmin.exe
Runs net.exe

pid	process
1608	icacls.exe
1248	icacls.exe

pid	process
1500	SCHTASKS.exe

pid	process
1696	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe

pid	process
1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	840	WMIC.exe
Token: SeSecurityPrivilege	840	WMIC.exe
Token: SeTakeOwnershipPrivilege	840	WMIC.exe
Token: SeLoadDriverPrivilege	840	WMIC.exe
Token: SeSystemProfilePrivilege	840	WMIC.exe
Token: SeSystemtimePrivilege	840	WMIC.exe
Token: SeProfSingleProcessPrivilege	840	WMIC.exe
Token: SeIncBasePriorityPrivilege	840	WMIC.exe
Token: SeCreatePagefilePrivilege	840	WMIC.exe
Token: SeBackupPrivilege	840	WMIC.exe
Token: SeRestorePrivilege	840	WMIC.exe
Token: SeShutdownPrivilege	840	WMIC.exe
Token: SeDebugPrivilege	840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	840	WMIC.exe
Token: SeRemoteShutdownPrivilege	840	WMIC.exe
Token: SeUndockPrivilege	840	WMIC.exe
Token: SeManageVolumePrivilege	840	WMIC.exe
Token: 33	840	WMIC.exe
Token: 34	840	WMIC.exe
Token: 35	840	WMIC.exe
Token: SeBackupPrivilege	1172	vssvc.exe
Token: SeRestorePrivilege	1172	vssvc.exe
Token: SeAuditPrivilege	1172	vssvc.exe
Token: SeIncreaseQuotaPrivilege	840	WMIC.exe
Token: SeSecurityPrivilege	840	WMIC.exe
Token: SeTakeOwnershipPrivilege	840	WMIC.exe
Token: SeLoadDriverPrivilege	840	WMIC.exe
Token: SeSystemProfilePrivilege	840	WMIC.exe
Token: SeSystemtimePrivilege	840	WMIC.exe
Token: SeProfSingleProcessPrivilege	840	WMIC.exe
Token: SeIncBasePriorityPrivilege	840	WMIC.exe
Token: SeCreatePagefilePrivilege	840	WMIC.exe
Token: SeBackupPrivilege	840	WMIC.exe
Token: SeRestorePrivilege	840	WMIC.exe
Token: SeShutdownPrivilege	840	WMIC.exe
Token: SeDebugPrivilege	840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	840	WMIC.exe
Token: SeRemoteShutdownPrivilege	840	WMIC.exe
Token: SeUndockPrivilege	840	WMIC.exe
Token: SeManageVolumePrivilege	840	WMIC.exe
Token: 33	840	WMIC.exe
Token: 34	840	WMIC.exe
Token: 35	840	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.execmd.execmd.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1888 wrote to memory of 1500	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	SCHTASKS.exe
PID 1888 wrote to memory of 1500	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	SCHTASKS.exe
PID 1888 wrote to memory of 1500	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	SCHTASKS.exe
PID 1888 wrote to memory of 1500	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	SCHTASKS.exe
PID 1888 wrote to memory of 1828	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 1828	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 1828	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 1828	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 628	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 628	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 628	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 628	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 1108	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 1108	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 1108	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 1108	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 364	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 364	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 364	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 364	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 1888 wrote to memory of 1608	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 1888 wrote to memory of 1608	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 1888 wrote to memory of 1608	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 1888 wrote to memory of 1608	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 1888 wrote to memory of 1248	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 1888 wrote to memory of 1248	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 1888 wrote to memory of 1248	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 1888 wrote to memory of 1248	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 628 wrote to memory of 1696	628	cmd.exe	vssadmin.exe
PID 628 wrote to memory of 1696	628	cmd.exe	vssadmin.exe
PID 628 wrote to memory of 1696	628	cmd.exe	vssadmin.exe
PID 628 wrote to memory of 1696	628	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 840	1828	cmd.exe	WMIC.exe
PID 1828 wrote to memory of 840	1828	cmd.exe	WMIC.exe
PID 1828 wrote to memory of 840	1828	cmd.exe	WMIC.exe
PID 1828 wrote to memory of 840	1828	cmd.exe	WMIC.exe
PID 1888 wrote to memory of 1128	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1128	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1128	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1128	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1236	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1236	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1236	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1236	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1400	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1400	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1400	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1400	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1964	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1964	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1964	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1888 wrote to memory of 1964	1888	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	net.exe
PID 1236 wrote to memory of 1524	1236	net.exe	net1.exe
PID 1236 wrote to memory of 1524	1236	net.exe	net1.exe
PID 1236 wrote to memory of 1524	1236	net.exe	net1.exe
PID 1236 wrote to memory of 1524	1236	net.exe	net1.exe
PID 1128 wrote to memory of 1116	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1116	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1116	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1116	1128	net.exe	net1.exe
PID 1964 wrote to memory of 1788	1964	net.exe	net1.exe
PID 1964 wrote to memory of 1788	1964	net.exe	net1.exe
PID 1964 wrote to memory of 1788	1964	net.exe	net1.exe
PID 1964 wrote to memory of 1788	1964	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
"C:\Users\Admin\AppData\Local\Temp\cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "Print71" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\r9bQl.dll" /ST 10:25 /SD 02/21/2022 /ED 02/28/2022
2⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "WMIC.exe shadowcopy delete"
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
2⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
2⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bootstatuspolicy ignoreallfailures"
2⤵
PID:364

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Qÿ
2⤵
- Modifies file permissions
PID:1608

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Qÿ
2⤵
- Modifies file permissions
PID:1248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1524

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File Deletion

2

T1107

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads